CVE-2025-68241

Source
https://cve.org/CVERecord?id=CVE-2025-68241
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68241.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68241
Published
2025-12-16T14:21:18.682Z
Modified
2026-03-13T04:04:03.534719Z
Summary
ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe

The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which leads to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random.

The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked.

    CPU 0                             CPU 1
    __mkroute_output()
      find_exception() [fnheX]
                                      update_or_create_fnhe()
                                        fnhe_remove_oldest() [fnheX]
      rt_bind_exception() [bind dst]
                                      RCU callback [fnheX freed, dst leak]

This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device:

unregister_netdevice: waiting for sitX to become free. Usage count = N

Ido Schimmel provided the simple test validation method [1].

The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.

[1]
    ip netns add ns1
    ip -n ns1 link set dev lo up
    ip -n ns1 address add 192.0.2.1/32 dev lo
    ip -n ns1 link add name dummy1 up type dummy
    ip -n ns1 route add 192.0.2.2/32 dev dummy1
    ip -n ns1 link add name gretap1 up arp off type gretap \
        local 192.0.2.1 remote 192.0.2.2
    ip -n ns1 route add 198.51.0.0/16 dev gretap1
    taskset -c 0 ip netns exec ns1 mausezahn gretap1 \
        -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
    taskset -c 2 ip netns exec ns1 mausezahn gretap1 \
        -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
    sleep 10
    ip netns pids ns1 | xargs kill
    ip netns del ns1
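The interleaving and the fix described above can be replayed deterministically in user space. The following is an added example, not kernel code and not part of the original record: the structures, remove_oldest(), bind_exception() and replay_race() are simplified hypothetical stand-ins that keep only the fnhe_daddr check and the dst reference count.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space stand-ins (assumed for illustration, not the kernel's types). */
struct dst  { int refcnt; };
struct fnhe { uint32_t fnhe_daddr; struct dst *bound; };

/* Model of fnhe_remove_oldest(): flush routes bound to the victim entry.
 * With the fix, the key is zeroed first so a later bind sees a stale entry. */
static void remove_oldest(struct fnhe *oldest, int fixed)
{
    if (fixed)
        oldest->fnhe_daddr = 0;
    if (oldest->bound) {                 /* drop references bound so far */
        oldest->bound->refcnt--;
        oldest->bound = NULL;
    }
}

/* Model of rt_bind_exception(): bind only if the entry still matches daddr. */
static int bind_exception(struct fnhe *e, struct dst *rt, uint32_t daddr)
{
    if (e->fnhe_daddr != daddr)
        return 0;                        /* stale entry: refuse to bind */
    rt->refcnt++;                        /* stands in for dst_hold() */
    e->bound = rt;
    return 1;
}

/* Replays the CPU 0 / CPU 1 interleaving from the diagram. Returns the number
 * of dst references still held after the entry is freed (non-zero = leak). */
int replay_race(int fixed)
{
    const uint32_t daddr = 0xC6336401u;  /* constructed sample: 198.51.100.1 */
    struct fnhe fnheX = { daddr, NULL };
    struct dst rt = { 0 };

    struct fnhe *seen = &fnheX;          /* CPU 0: find_exception() [fnheX] */
    remove_oldest(&fnheX, fixed);        /* CPU 1: fnhe_remove_oldest() [fnheX] */
    bind_exception(seen, &rt, daddr);    /* CPU 0: rt_bind_exception() */
    /* CPU 1: RCU callback frees fnheX; nothing drops a late-bound reference. */
    return rt.refcnt;
}

int main(void)
{
    printf("without fix: leaked refs = %d\n", replay_race(0));
    printf("with fix:    leaked refs = %d\n", replay_race(1));
    return 0;
}
```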

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68241.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e46e23c289f62ccd8e2230d9ce652072d777ff30
Fixed
69d35c12168f9c59b159ae566f77dfad9f96d7ca
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5867e20e1808acd0c832ddea2587e5ee49813874
Fixed
4b7210da22429765d19460d38c30eeca72656282
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
67d6d681e15b578c1725bad8ad079e05d1c48a8e
Fixed
298f1e0694ab4edb6092d66efed93c4554e6ced1
Fixed
b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94
Fixed
041ab9ca6e80d8f792bb69df28ebf1ef39c06af8
Fixed
b84f083f50ecc736a95091691339a1b363962f0e
Fixed
0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0
Fixed
ac1499fcd40fe06479e9b933347b837ccabc2a40
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
bed8941fbdb72a61f6348c4deb0db69c4de87aca
Last affected
f10ce783bcc4d8ea454563a7d56ae781640e7dcb
Last affected
f484595be6b7ef9d095a32becabb5dae8204fb2a
Last affected
3e6bd2b583f18da9856fc9741ffa200a74a52cba
Last affected
5ae06218331f39ec45b5d039aa7cb3ddd4bb8008
Last affected
4589a12dcf80af31137ef202be1ff4a321707a73

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68241.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
5.4.302
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.247
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.197
Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
6.1.159
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.6.117
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.12.59
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.17.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68241.json"